Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Feb 5, 2025 · eca57cf · eca57cf
1 parent faddf2f
commit eca57cf
Show file tree

Hide file tree

Showing 11 changed files with 87 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1708-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1709-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1553,6 +1553,7 @@ credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking w
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
 credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
 credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.004,OS Credential Dumping: LSA Secrets,2,Dump Kerberos Tickets from LSA using dumper.ps1,2dfa3bff-9a27-46db-ab75-7faefdaca732,powershell
 credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell

diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -193,6 +193,7 @@ credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remo
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
 credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
 credential-access,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 credential-access,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2155,6 +2155,7 @@
   - Atomic Test #1: Keychain Dump [macos]
   - Atomic Test #2: Export Certificate Item(s) [macos]
   - Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
+  - Atomic Test #4: Copy Keychain using cat utility [macos]
 - [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
   - Atomic Test #1: Dumping LSA Secrets [windows]
   - Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1 [windows]

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -90781,6 +90781,26 @@ credential-access:
           '
         name: sh
         elevation_required: false
+    - name: Copy Keychain using cat utility
+      auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
+      description: 'This command will copy the keychain using the cat utility in a
+        manner similar to Atomic Stealer.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        keychain_export:
+          description: Specify the path to copy they keychain into.
+          type: path
+          default: "/tmp/keychain"
+      executor:
+        command: 'cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
+
+          '
+        cleanup_command: 'rm #{keychain_export}'
+        name: sh
+        elevation_required: false
   T1003.004:
     technique:
       modified: '2024-08-13T15:49:17.591Z'

diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
@@ -49872,6 +49872,26 @@ credential-access:
           '
         name: sh
         elevation_required: false
+    - name: Copy Keychain using cat utility
+      auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
+      description: 'This command will copy the keychain using the cat utility in a
+        manner similar to Atomic Stealer.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        keychain_export:
+          description: Specify the path to copy they keychain into.
+          type: path
+          default: "/tmp/keychain"
+      executor:
+        command: 'cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
+
+          '
+        cleanup_command: 'rm #{keychain_export}'
+        name: sh
+        elevation_required: false
   T1003.004:
     technique:
       modified: '2024-08-13T15:49:17.591Z'

diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md
@@ -14,6 +14,8 @@ Adversaries may gather user credentials from Keychain storage/memory. For exampl
 
 - [Atomic Test #3 - Import Certificate Item(s) into Keychain](#atomic-test-3---import-certificate-items-into-keychain)
 
+- [Atomic Test #4 - Copy Keychain using cat utility](#atomic-test-4---copy-keychain-using-cat-utility)
+
 
 <br/>
 
@@ -119,4 +121,41 @@ security import #{cert_export} -k
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Copy Keychain using cat utility
+This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 5c32102a-c508-49d3-978f-288f8a9f6617
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| keychain_export | Specify the path to copy they keychain into. | path | /tmp/keychain|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
+```
+
+#### Cleanup Commands:
+```sh
+rm #{keychain_export}
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1555.001/T1555.001.yaml b/atomics/T1555.001/T1555.001.yaml
@@ -57,6 +57,7 @@ atomic_tests:
     elevation_required: false
 
 - name: Copy Keychain using cat utility
+  auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
   description: |
     This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
   supported_platforms:

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1732,3 +1732,4 @@ a3cc9c95-c160-4b86-af6f-84fba87bfd30
 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
 e04d2e89-de15-4d90-92f9-a335c7337f0f
 87a4a141-c2bb-49d1-a604-8679082d8b91
+5c32102a-c508-49d3-978f-288f8a9f6617